Set up wireguard in dev cluster

ansible/lxvm

@@ -1,5 +1,5 @@
 [cluster_nodes]
 #ubuntu1 ansible_host=192.168.42.10
-debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 private_ip=192.168.42.20 interface=enp1s0 dns_server=208.67.222.222
-debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 private_ip=192.168.42.21 interface=enp1s0 dns_server=208.67.222.222
-debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 private_ip=192.168.42.22 interface=enp1s0 dns_server=208.67.222.222
+debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 dns_server=208.67.222.222 vpn_ip=10.68.70.11 public_vpn_port=51820
+debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 dns_server=208.67.222.222 vpn_ip=10.68.70.12 public_vpn_port=51820
+debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 dns_server=208.67.222.222 vpn_ip=10.68.70.13 public_vpn_port=51820

ansible/roles/consul/templates/consul.json.j2

@@ -1,14 +1,14 @@
 {
   "data_dir": "/var/lib/consul",
   "bind_addr": "0.0.0.0",
-  "advertise_addr": "{{ public_ip }}",
+  "advertise_addr": "{{ vpn_ip }}",
   "addresses": {
     "dns": "0.0.0.0",
     "http": "0.0.0.0"
   },
   "retry_join": [
-   {% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #}
-     "{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }}
+   {% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}{# @FIXME: Reject doesn't work #}
+     "{{ hostvars[selected_host]['vpn_ip'] }}" {{ "," if not loop.last else "" }}
    {% endfor %}
   ],
   "bootstrap_expect": 3,

ansible/roles/consul/templates/resolv.conf.j2

@@ -1,2 +1,2 @@
-nameserver {{ private_ip }}
+nameserver {{ vpn_ip }}
 nameserver {{ dns_server }}

ansible/roles/network/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload wireguard
+  service:
+    name: wg-quick@wgdeuxfleurs
+    state: restarted

ansible/roles/network/tasks/main.yml

@@ -9,3 +9,49 @@
     name: net.ipv4.ip_forward
     value: "1"
     sysctl_set: yes
+
+# Wireguard configuration
+- name: "Enable backports repository"
+  apt_repository:
+    repo: deb http://deb.debian.org/debian buster-backports main
+    state: present
+
+- name: "Install wireguard"
+  apt:
+    name:
+      - wireguard
+      - wireguard-tools
+      - "linux-headers-{{ ansible_kernel }}"
+    state: present
+
+- name: "Create wireguard configuration direcetory"
+  file: path=/etc/wireguard/ state=directory
+
+- name: "Check if wireguard private key exists"
+  stat: path=/etc/wireguard/privkey
+  register: wireguard_privkey
+
+- name: "Create wireguard private key"
+  shell: wg genkey > /etc/wireguard/privkey
+  when: wireguard_privkey.stat.exists == false
+  notify:
+    - reload wireguard
+
+- name: "Secure wireguard private key"
+  file: path=/etc/wireguard/privkey mode=0600
+
+- name: "Retrieve wireguard private key"
+  shell: cat /etc/wireguard/privkey
+  register: wireguard_privkey
+
+- name: "Retrieve wireguard public key"
+  shell: wg pubkey < /etc/wireguard/privkey
+  register: wireguard_pubkey
+
+- name: "Deploy wireguard configuration"
+  template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
+  notify:
+    - reload wireguard
+
+- name: "Enable Wireguard systemd service at boot"
+  service: name=wg-quick@wgdeuxfleurs state=started enabled=yes daemon_reload=yes

ansible/roles/network/templates/rules.v4.j2

@@ -10,8 +10,8 @@
 -A INPUT -s 192.168.1.254 -j ACCEPT
 -A INPUT -s 82.253.205.190 -j ACCEPT
 {% for selected_host in groups['cluster_nodes'] %}
--A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
--A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport 51820 -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT
 {% endfor %}
 
 # Local

ansible/roles/network/templates/wireguard.conf.j2

@@ -0,0 +1,12 @@
+[Interface]
+Address = {{ vpn_ip }}
+PrivateKey = {{ wireguard_privkey.stdout }}
+ListenPort = 51820
+
+{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
+[Peer]
+PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
+Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
+AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
+PersistentKeepalive = 25
+{% endfor %}

ansible/roles/nomad/templates/nomad.hcl.j2

@@ -5,9 +5,9 @@ addresses {
 }
 
 advertise {
-  http = "{{ public_ip }}"
-  rpc = "{{ public_ip }}"
-  serf = "{{ public_ip }}"
+  http = "{{ vpn_ip }}"
+  rpc = "{{ vpn_ip }}"
+  serf = "{{ vpn_ip }}"
 }
 
 data_dir = "/var/lib/nomad"
@@ -25,10 +25,10 @@ client {
   enabled = true
   #cpu_total_compute = 4000
   servers = ["127.0.0.1:4648"]
-  network_interface = "{{ interface }}"
   options {
     docker.privileged.enabled = "true"
     docker.volumes.enabled = "true"
   } 
+  network_interface = "wgdeuxfleurs"
 }
 

ansible/roles/storage/tasks/main.yml

@@ -48,7 +48,7 @@
       nfs.export-volumes: "off"
       cluster.lookup-optimize: "on"
 
-    cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
+    cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['vpn_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
   run_once: true
 
 - name: "Create mountpoint"
@@ -61,7 +61,7 @@
   tags: gluster-fstab
   mount:
     path: /mnt/glusterfs
-    src: "{{ private_ip }}:/donnees"
+    src: "{{ vpn_ip }}:/donnees"
     fstype: glusterfs
     opts: "defaults,_netdev,noauto,x-systemd.automount"
     state: present